What GDPR means for Authors and Bloggers

On May 25, 2018 there are some major changes coming through the pipelines under a new law called the General Data Protection Regulation (GDPR). It’s being implemented to protect your constituents (aka readers, fans, and any other bookish friends you hold any type of data on) in the European Union (EU). Now before you mentally shut down and close your browser thinking this doesn’t pertain to you because you don’t live in Europe, or because you’re not a “marquee author” or “big blogger” … there is a damn good chance it does. So grab your coffee and listen up!

We live in a digital world where data privacy is of the utmost importance, so I predict the EU will be the first in a long line of jurisdictions creating new, protective laws for their citizens. So adapt early to cover yourself!

Let’s dive in and start at the very beginning, shall we?

Don’t miss my podcast breaking down the basics of GDPR with Stephen Campbell of The Author Biz.

What is GDPR?

The General Data Protection Regulation, otherwise referred to as GDPR, is new legislation that takes effect on May 25, 2018. Simply stated, the GDPR is the most significant regulation in the digital world of the past two decades, and it requires whoever keeps data to be transparent with everyone. And let’s be honest … the online world of 20 years ago hinged on AOL, that horrible dial-up sound, tragically awesome Geocities websites, and endless strings of pop-up banner ads that you couldn’t close fast enough. Things have changed and as a result the rules need a spit shine.

But don’t be annoyed that things are changing. Because what’s about to go down is a VERY GOOD THING.

The GDPR strives to put control back in the hands of European citizens when it comes to their personal information. Essentially it means that at any point in time, an individual can retrieve details on what personal information is being held, who is using it, how they’re using it, and how it’s being stored; they can request copies of this data; and, even more, they can request to be completely deleted from the data holder’s systems (which goes beyond the simple “Unsubscribe” button). For some industries this has major implications (think higher education, where this request could essentially erase an individual’s academic record, or banking, where you’d risk losing the digital record of financial and credit statements).

Fortunately for our industry, the implications aren’t exactly life and death. But they’re still extremely important to understand and comply with, nonetheless.

Why is it important to me as an Author or Blogger?

I know what you’re thinking. This is some high-flying law that only major corporations need to worry about. Well, you’re wrong.

Anyone who has data or personal information kept about their EU readers or uses their information in marketing efforts will need to get their poop in a group.

Take some time and think about it …

Do you have a newsletter list with at least one person in the EU?

What about Facebook ads, do you do any targeting where someone in the EU could come across and engage with your ad?

Are you loading your mailing list into social media for re-targeting campaigns?

ChatBots where you’re messaging someone in Europe?

Paypal? Square? Any type of eCommerce platform where you’re accepting credit card information from one of your readers?

All of this (and dozens more scenarios) means you need to educate yourself and prepare for the coming changes in data protection.

If one of your readers comes to you and elects to exercise their rights, you need to know how to fulfill the request. For many of us that will mean relying on our third-party partners, but there will be instances where you are the gatekeeper of that data and need to handle the request yourself.

What can I do to comply?

Fortunately for you, if you use a third-party data processor (i.e. a company that hosts the information you’ve collected, like your newsletter platform, online payment system, or general CRM program), most of them have been busy making enhancements to their platforms to be compliant, which in turn makes you compliant … kind of. But it’s still up to you to understand what data they store on your readers, how they store this info, and how they’re using this data.

Furthermore, there’s a really good chance you’ve got other lists of reader data floating around your inbox or Google Drive in spreadsheets or unprotected documents. If you’re nodding your head remembering all of those names, emails, and phone numbers you collected from signings on little slips of paper, this is something you need to address: get them loaded into your database with a documented trail of how and when the individuals opted in to your communications.

I suggest you begin by taking the time to look at your list of partners who make your author and blogging life easier. Off the top of my head, some of the popular ones are going to be Facebook, MailChimp, MailerLite, Author Reach, Bookfunnel, InstaFreebie, Square, and PayPal. Obviously there are lots more than are mentioned here, but it’s late at night right now and I’m not going into some deep rabbit hole of all vendors in Bookville.

I do want to call out that MailChimp has done a bang-up job communicating its GDPR strategy to help its users navigate this new territory. So even if you’re not actively using the MailChimp platform, I would suggest reading what they’ve put out on the web. On May 14th, MailChimp released information on new GDPR tools and changes to its contact management system for compliance.

Additionally, on March 14th, MailerLite came out with its official GDPR update. They followed it up with additional features supporting GDPR, which are described on their website.

In April, Instafreebie published their pending changes to the platform to become compliant with GDPR. Their most significant change is going to be supporting the mandatory opt-in on giveaways that they promote, effective May 25th.

So do your homework and learn what your trusted partners are doing on your behalf for GDPR, so if and when the need arises, you know how to respond to the data request in a timely fashion.

Opt-In. Opt-Out.

One key thing to remember is that individuals in the EU must explicitly opt-in to communications from you.

This is worth repeating.

ONCE GDPR IS IN FULL EFFECT, ANY EUROPEAN CITIZEN MUST EXPLICITLY ASK TO RECEIVE YOUR FABULOUS NEWSLETTER.

No, you cannot just add them to your email list based on some unsanctioned sweepstakes that you are running on your own via Excel spreadsheets.

Having them complete a Google Form and then copying and pasting their deets into your mailing list? Not so much.

With GDPR, you must be able to provide a proof trail of how and when they opted in, should you ever be asked to provide substantiation. That means you’ll want to be leveraging landing pages and third-party sign-up forms that funnel directly into their respective database.

For those of you who use MailChimp or MailerLite, I highly recommend you download and start using their subscribe apps at your upcoming events. iCapture is another excellent program where readers can digitally provide you with their data in a safe and transparent way. Readers can sign up on a mobile device or tablet and drop right into your constituent database — no wifi needed!

Industry Pitfalls

The biggest implication I can think of will be for those doing unsanctioned giveaways and newsletter email swaps. If you’re doing this, we need to have a serious come-to-Jesus, because this is simply not okay from a best practices and privacy standpoint. I cringe anytime I hear of authors sharing emails of their readers, because if my email were on that list, I would be livid to learn my personal information was being passed around like a cheap hooker.

And we wonder why identity theft is so prevalent these days?!

So basically, any kind of giveaway or promotion where someone collects personal information and then distributes it to a group of participating authors or bloggers via email, Excel, CSV, etc. should be avoided. First of all, it’s shady. Second of all, it’ll be illegal under the GDPR.

However, if the data is being legally collected via a third-party vendor, the participants clearly understand they are signing up to receive communications from all participating authors, and that vendor then safely disseminates said information to each participating author directly into their database/CRM program of record, then you’re covered.

Penalties for non-compliance

This is bad, and should the hammer fall upon you, you need to know exactly what to expect … fines for noncompliance are to the tune of 20 million euros.

Ouch.

They’re going to go out guns blazing to enforce this, and it doesn’t matter if you’re a Fortune 500 company or an indie author. You don’t want to be the one who gets stuck in the crossfire simply because you didn’t educate and prepare yourself.

All of this information is very top-line and obviously doesn’t dive into the complexities of the new law. The information shared here is for general purposes only and is not intended as legal advice. I am simply sharing what I know for the betterment of the indie world and to help create awareness before things kick into gear this May.

If you have questions about the General Data Protection Regulation, you should consult your local RWA chapter, writer’s guild, or legal counsel for additional information.

Think what you see is helpful? Subscribe to my blog to stay on top of the Authors Helping Authors series. I’ve got more SEO posts scheduled and have some helpful AMS content in the works, too! And, of course, be sure to follow me over on Facebook and Twitter.

Last Updated May 16th to include The Author Biz GDPR Podcast, Mark Dawson’s Podcast on GDPR and Privacy Policies, new MailerLite features, and MailChimp tools.
Last Updated May 1, 2018 to include Google Analytics, Facebook and BookSweeps GDPR statements.
Last Updated April 6, 2018 to include Instafreebie support information.
Last Updated March 14, 2018 to provide MailerLite support information.

30 thoughts on “What GDPR means for Authors and Bloggers”

So my question, in reference to your comment about Facebook ads: should we exclude anyone in the EU from all ad targeting then? I mean, I completely understand the newsletter thing, but to say “someone in the EU could come across and engage with your ad” seems outrageous 😦 Any information on that would be appreciated 🙂

So for something like Facebook ads, there’s no reason to exclude the EU from your targeting (unless you want to). If someone from the EU challenges the data used for the specific targeting, this falls upon Facebook and not you to fulfill the exercising of the constituent’s rights. And it can go deeper than just the targeted interests they self-identify with on their profile, but also data collected by your Facebook pixel for retargeting and lookalike campaigns as well. Does that help?

Oh, also! Say a user is a subscriber to your MailerLite list and they choose to exercise the right to be forgotten. However, you’ve already taken your list data and uploaded it for a highly targeted campaign. Because your MailerLite data isn’t talking to your Facebook data (because you manually exported it and uploaded it into Facebook), YOU would be responsible for removing their information from the retargeting list within Facebook. Make sense?

Also, MailChimp recently began adding Facebook advertising opportunities targeting your mailing list directly within the MailChimp platform. Under this kind of circumstance, MailChimp would be responsible for both the mailing list *and* the Facebook data because you didn’t export their data and then reupload it onto the other platform. It’s all controlled within the third party in this circumstance.

Great article. Thanks. Regarding what you said above about MailChimp being responsible for sending data to FB for you, they are not taking responsibility and are definitely saying you, the author, are responsible. They are calling themselves the processor and you, the author, they are calling the controller, who takes the hit:

“In the context of the MailChimp application and our related services, in the majority of circumstances, our customers are acting as the controller. Our customers, for example, decide what information from their contacts or subscribers is uploaded or transferred into their MailChimp account; direct MailChimp, through our application, to send emails to certain subscribers on their email distribution lists; and instruct MailChimp to place advertisements on their behalf on third party platforms such as Facebook or Instagram. MailChimp is acting as a processor by performing these and other services for our customers.”

Anyway, I find the whole thing rather scary and overwhelming but am trying to get my arms around it. I also think that Instafreebie’s group giveaways were awesome list builders and am sad to see that being discontinued.

My apologies for any confusion on this one, Sydney! In the case of MailChimp and FB (presuming you’re referencing using your mailing list data for a custom audience in a Facebook campaign), I would absolutely be the one responsible, as I would manually be exporting the data from MailChimp and then loading it into Facebook. If one of those users exercised their right to be forgotten, I would have to manually go into Facebook and remove their information from the campaign. Does that make sense?

HOWEVER, if I use the pre-existing feature built into MailChimp that creates FB campaigns targeting your mailing list, in that case it would be automated and should (in theory) be automatically removed since it’s being controlled through the MailChimp platform and no manual extraction occurred.

But yes … ultimately, we, the authors, are the ones in control. Any third-party vendor we use is making changes to become compliant in order to retain business. The whole thing is indeed scary. But I think you’ll find that without an abundance of list builders out there, your list leads will become healthier and open rates will increase, as you won’t have people subscribing just for a chance to win a freebie or something of the like. The one time I did a list building promo my unsubscribe rates spiked.

Unfortunately, no, the message I read from MailChimp said that not even in the case of using their pre-existing feature built into MC that creates FB campaigns will they take any responsibility for adhering to the GDPR. They said, as quoted here: “and instruct MailChimp to place advertisements on their behalf on third party platforms such as Facebook or Instagram. MailChimp is acting as a processor by performing these and other services for our customers.”

Anyway, I hope you’re right about better lists and lower unsubscribe rates. Remember this is only for the EU really but the ripples will spread to everyone. Thanks again for a good article.

Thank you for the helpful article. It’s good to find some useful info for bloggers about GDPR.

I have a question. I have a blog which does not have a mail list, and for the moment I don’t earn any money from it. It’s more like a hobby thing. What exactly do I need to do to make my blog compliant? I use Google Analytics and a Facebook pixel, and I also have a contact form on the site.

Hi Vesela! Google Analytics has been releasing product updates over the past year to be compliant (check out their series of posts over at http://www.blog.google!) and recently released data retention controls that will allow you to manage how long your user/event data is kept on their services. They’ll also be releasing a deletion tool for individuals who want to exercise the right to be forgotten. Be sure to check out their blog for all sorts of info on this.

Regarding your Facebook Pixel data, the Facebook business site has laid out some best practices regarding consent for cookies on sites and such. Start here to see Facebook’s stance with GDPR and overarching approach to data – http://www.facebook.com/business/gdpr.

All I can say is thank goodness for those in the EU and this is a good model for every other country. It’s too easy to get crap you didn’t ask for, and cleaning out my inbox is a major headache. I abhor marketing that I didn’t want and having to actively opt out. Actively opting in should always be the default.

My question is, do we need to do anything for the people who are already on our lists? Some have double opted in, some have been added because they entered a contest… Do I need to seek out re-permission or drop them come May 25?

So it actually depends on the method by which they enlisted for your mailing list, which I know can be a major pain in the ass. If they signed up and you have a valid digital trail that shows their express consent (the double opt-in that you mention above), you’re okay to leave them as is. In the instance of the contest, that’s trickier. If you were given a list of email addresses, that won’t fly. If they entered a contest and you collected data via a vendor like Instafreebie or BookFunnel, you’ve got that digital trail and the data drops right into your CRM database, so that’s fine. For me, I’ve abandoned lists that were received through contests where I’m handed a file of email addresses when all is said and done. Because legally, that wouldn’t hold up in a court of law — are those contacts truly authentic? Were they truly aware they were signing up for my mailing list (and the lists of a few dozen more authors in the process)? Is there a chance that these emails were purchased or illegally collected in an effort to appease the authors in the contest? You just can’t be certain.

Now some authors have taken it upon themselves to reauthenticate everyone on their email list prior to May 25th. You need to remember that this only affects European constituents, and unless you’re in a position to segment your mailing list by geography, I wouldn’t advise going this route (and yes, some vendors may be able to segment via IP addresses and target those coming from Europe, but this information is unreliable due to rerouting and such).

What you COULD do is, in an upcoming newsletter, highlight your opt-out / unsubscribe feature clearly. Or build a landing page to drive your EU constituents to, explaining that you take their privacy seriously and that if they’d like to opt out, this is what they need to do.

If you aren’t emailing them, leveraging affiliate links, or doing anything off of the blog, you are likely fine. Anyone who is using the “follow feature” (like with WordPress, for example) has voluntarily opted in to your blog updates. Those who check in regularly aren’t having data collected, based on what you’ve said. You may want to consider a privacy policy at some point down the line if you’re looking to add analytics like a Facebook pixel or Google Analytics.

What about collecting ISP addresses through analytics on websites? Everything I’ve read states that those ISP addresses are personal data, yet when I questioned my website host company (Host Gator) I was told that those ISP addresses do not constitute personal data – and there is no way to shut off the analytics they provide for page views (including the collection of those ISP addresses). I am at my wit’s end here trying to make my site GDPR compliant, but I don’t know what to do. Do those ISP addresses count? If so, is just putting up a privacy policy stating that Host Gator is saving them good enough? I have no tools in my dashboard currently that allow me to delete the ISP addresses, so how can I comply with their right to be forgotten? Any help would be appreciated, as you seem to have a handle on all of this.

It is my understanding that IP/ISP details are unreliable because they can be routed through other countries. For example, I can live in Canada but have an IP directed through the US. If you go solely by that data, you may think you can email me, but I’d actually be covered by CASL. I believe that some constituents in the EU may have a similar setup, and hence why that shouldn’t be the sole deciding factor in your decision. The other thing is, you’ve got this IP address, but what does that mean to you? Do you know the individual and are you able to go back and target them and market to them as a result?

Let me ask some folks on my end and see if I can uncover anything. In the meantime, I would consider adding a privacy policy to your website if you haven’t already.

Okay… I can confirm that an IP address in isolation is not considered personal data under the Data Protection Act. The issue arises when you combine the IP address with other identifiable information to build a profile, regardless of whether you know their name.

My head is spinning! I met with my webmaster who says we are good to go. Could you help clarify for me a few points? 1) My one website is informational with no storefront, etc. Links to my blog, information, etc. Also affiliate links. 2) My other site has a bookstore that does not have storefront, but goes through PayPal or Amazon. How does this affect me – or does it? Should I include a link to the PayPal privacy policy? And 3) I also have a blog through Blogger – which contains affiliate links. Will Blogger be updating their info and thereby I will fall under that? Thanks SO much!

Well, I’m not a lawyer, so my opinion shouldn’t be taken as legal advice. But if I were in your shoes, here’s what I’d do… add a privacy policy to every single one of your sites. If you use cookies, affiliate links, pixels, tracking tags, or data collection of any kind (even if it’s through PayPal), then you want a privacy policy of your own. From there, you can link to your third-party privacy policies, but that isn’t required. There are a lot of templates and free resources out there for creating one (start with Mark Dawson or the BBB templates).

The affiliate link disclosures and best practices can be picked up from the Amazon affiliate hub. Do know that Amazon has shut down affiliate accounts for noncompliance on the disclosure front in the past, so definitely get that one up and posted!

It doesn’t sound like you’re collecting specific data points on people directly on your website for future use, correct?